Method for classifying unknown electronic documents based upon at least one classificaton

ABSTRACT

A classification system includes a signature-based duplicate detector and an inductive classifier that share attribute information. To perform the duplicate detection and the classification, the duplicate detector and inductive classifier are first initialized by generating a lexicon of attributes for the duplicate detector and a classification model for the classifier. To develop a classification model, a training set of documents of known class are used by the classifier to determine the attributes of the documents that are most useful in classifying an unknown document. The model is developed from these attributes. Attribute information containing the attributes determined by the classifier is then passed to the duplicate detector and the duplicate detector uses the attribute information to generate the lexicon of attributes.

CLAIM OF PRIORITY

This is a continuation of U.S. patent application Ser. No. 11/016,930,filed Dec. 21, 2004, and titled “Simplifying Lexicon Creation in HybridDuplicate Detection and Inductive Classifier Systems,” which claimspriority under 35 USC §119(e) to U.S. Provisional Patent ApplicationSer. No. 60/543,283, filed on Feb. 11, 2004; Ser. No. 60/562,298, filedon Apr. 15, 2004; and Ser. No. 60/580,378, filed on Jun. 18, 2004, allof which are hereby incorporated by reference.

TECHNICAL FIELD

This description relates to duplicate detection and spam filtering.

BACKGROUND

With the advent of the Internet and a decline in computer prices, manypeople are communicating with one another through computersinterconnected by networks. A number of different communication mediumshave been developed to facilitate such communications between computerusers. One type of prolific communication medium is electronic mail(e-mail).

Unfortunately, because the costs of sending e-mail are relatively low,e-mail recipients are being subjected to mass, unsolicited, commerciale-mailings (colloquially known as e-mail spam or spam e-mails). Theseare akin to junk mail sent through the postal service. However, becausespam e-mail requires neither paper nor postage, the costs incurred bythe sender of spam e-mail are quite low when compared to the costsincurred by conventional junk mail senders. Due to this and otherfactors, e-mail users now receive a significant amount of spam e-mail ona daily basis. Spam e-mail impacts both e-mail users and e-mailproviders. For e-mail users, spam e-mail can be disruptive, annoying,and time consuming. For an e-mail service provider, spam e-mailrepresents tangible costs in terms of storage and bandwidth usage. Thesecosts may be substantial when large numbers of spam e-mails are sent.

SUMMARY

In one aspect, a document is classified using a duplicate detector andan inductive classifier. The inductive classifier receives a trainingset of documents of known classification and generates attributeinformation based on the set of training documents of knownclassification. The inductive classifier also develops a classificationmodel based on the attribute information.

The attribute information is provided to the duplicate detector and theduplicate detector generates a lexicon of attributes based on theattribute information. The duplicate detector also receives a set ofdocuments of known classification and calculates class signatures basedon the set of documents of known classification and the lexicon ofattributes.

An unknown document is received by the duplicate detector and theduplicate detector generates a query signature based on the unknowndocument and the lexicon of attributes. The query signature is comparedto the class signatures to determine whether the query signature matchesa class signature. When the query signature matches a class signature,the duplicate detector indicates that the unknown document has a classof the document corresponding to the class signature that matches thequery signature. When the query signature does not match a classsignature, the unknown document is provided to the inductive classifierand the inductive classifier applies the classification model to theunknown document to determine a class for the unknown document.

In another aspect, performing duplicate detection includes receivingattribute information from an inductive classifier and generating alexicon of attributes for use by a duplicate detector in performingduplicate detection based on the attribute information. The attributeinformation is generated by the inductive classifier during training ofthe inductive classifier.

Implementations may include one or more of the following features. Forexample, to generate attribute information based on the set of trainingdocuments, the inductive classifier may analyze the set of trainingdocuments to determine attributes in the set of training documents andcalculate mutual information scores for the attributes in the set oftraining documents. The inductive classifier may select a portion of theattributes based on the mutual information scores to generate theattribute information.

The duplicate detector may generate the lexicon of attributes byselecting a specified number of the attributes with the highest mutualinformation scores. The duplicate detector may create attribute clustersfrom the selected attributes such that the attribute informationincludes the attribute clusters.

To generate a query signature, the duplicate detector may determineunique attributes in the unknown document and determine an intersectionbetween the unique attributes in the unknown document and the lexicon.The query signature may be calculated based on the intersection.

Generating a lexicon of attributes may include generating a primarylexicon and a secondary lexicon based on the attribute information. Whenthe intersection between the unknown document and the primary documentdoes not exceed the threshold, attributes from the secondary lexiconthat intersect with the unique attributes in the unknown document may beadded to the intersection to create an augmented intersection thatexceeds the threshold. The signature for the document may be calculatedbased on the augmented intersection.

Generating a primary lexicon may include designating a specified numberof the attributes in the set of training documents with the highestmutual information scores as the primary lexicon. At least a portion ofthe attributes other than the specified number of attributes with thehighest mutual information scores may be designated as the secondarylexicon.

The unknown document may include an unknown e-mail. The set of documentsof known classification may include a set of spam e-mails and the classsignatures may be spam signatures. When the query signature matches aclass signature, the duplicate detector may indicate that the unknowndocument is spam.

Implementations of the described techniques may include hardware, amethod or process, or computer software on a computer-accessible medium.

The details of one or more implementations are set forth in theaccompanying drawings and the description below. Other features will beapparent from the description and drawings, and from the claims.

DESCRIPTION OF DRAWINGS

FIG. 1 is a block diagram of an exemplary networked computingenvironment that supports e-mail communications and in which spamfiltering may be performed.

FIG. 2 is a high-level functional block diagram of an e-mail serverprogram that may execute on an e-mail server to provide large-scale spamfiltering.

FIG. 3 is a flowchart of a process that may be employed by a duplicatedetector to apply a signature-based duplicate detection technique toidentify spam e-mails.

FIG. 4 is a flowchart of a process that may be employed by an e-mailclassifier to classify e-mails as spam or legitimate.

FIG. 5 is a block diagram of an implementation of the duplicate detectorshown in FIG. 2.

FIG. 6 is a block diagram of an implementation of the inductive e-mailclassifier shown in FIG. 2.

FIGS. 7A-11 show exemplary processes for operating the duplicatedetector of FIG. 5 and the e-mail classifier of FIG. 6 in whichattribute information is shared.

FIGS. 12A and 12B are flowcharts showing alternate processes performedby the duplicate detector of FIG. 5 for determining spam signatures andquery signatures.

DETAILED DESCRIPTION

A classification system includes a signature-based duplicate detectorand an inductive classifier that share attribute information. Thesignature-based duplicate detector determines whether two documents arethe same by determining if the projections of the two documents onto alexicon of attributes are the same. To determine whether the projectionsare the same, the projection of each document is mapped to a signature,and when two documents' signatures match, they are considered to beduplicates.

Accordingly, to determine whether a particular document belongs to aparticular class, the duplicate detector initially determines a set ofclass signatures based on a lexicon of attributes and a set of documentsof known class. When a new document is received, the duplicate detectorcalculates a query signature for the document and compares the querysignature to the class signatures to determine if the query signaturematches a class signature. If the query signature matches a classsignature, then the unknown document is considered a near-duplicate ofthe corresponding document of known class. If this is the case, then theunknown document is considered to be the same class as thenear-duplicate document.

If the query signature does not match a class signature, then theunknown document is passed to the inductive classifier. The inductiveclassifier uses a classification model to determine one or more classscores for the unknown document, where the class score indicates thelikelihood of the document belonging to a particular class. The unknowndocument is then classified based on the class score.

To perform the duplicate detection and the classification, the duplicatedetector and inductive classifier are first initialized by generating alexicon of attributes for the duplicate detector and a classificationmodel for the classifier. The inductive classifier employs machinelearning techniques to develop the classification model that allows theclassifier to classify an unknown document. To develop a classificationmodel, a training set of documents of known class are used by theclassifier to determine the attributes of the documents that are mostuseful in classifying an unknown document. The model is developed fromthese attributes.

Attribute information containing the attributes determined by theclassifier is then passed to the duplicate detector. The duplicatedetector uses the attribute information to generate the lexicon ofattributes, which is used both during initialization to generate theclass signatures and during duplicate detection to calculate the querysignatures. Using the attribute information from the classifier mayeliminate the need of the duplicate detector to separately analyze a setof documents to generate the lexicon.

Such duplicate detection and classification techniques are describedbelow as applied to e-mail spam filtering. However, the techniques maybe used for spam filtering in other messaging media, including both textand non-text media. For example, spam may be sent using instantmessaging or short message service (SMS), or may appear on Usenetgroups. Similarly, the techniques may be applied, for instance, tofilter spam sent in the form of images, sounds, or video when anappropriate set of attributes is selected.

Moreover, the techniques described may be applied to other areas ofclassification in which it is beneficial to determine a class of adocument based on detecting near-duplicates of documents of known classand classifying those documents that are not near-duplicates ofdocuments with a known class. For example, news stories may beclassified based on word attributes into categories such as sports ortechnology, while songs may be classified based on sound attributes intocategories such as classical or rock.

More generally, the described techniques may be applied to text ornon-text items in a variety of document duplication applications.Therefore, the term “document” should be understood to generally referto a computer file that contains data for use by applications, such as,for example, a file that contains text, images, sounds, video, othermedia, or a combination thereof. Accordingly, the attributes may be textor non-text attributes as appropriate.

FIG. 1 illustrates an exemplary networked computing environment 100 thatsupports e-mail communications and in which spam filtering may beperformed. Computer users are distributed geographically and communicateusing client systems 110 a and 110 b. Client systems 110 a and 110 b areconnected to ISP networks 120 a and 120 b, respectively. Whileillustrated as ISP networks, networks 120 a or 120 b may be any network,e.g. a corporate network. Clients 110 a and 110 b may be connected tothe respective ISP networks 120 a and 120 b through variouscommunication channels such as a modem connected to a telephone line(using, for example, serial line internet protocol (SLIP) orpoint-to-point protocol (PPP)) or a direct network connection (using,for example, transmission control protocol/internet protocol (TCP/IP)).E-mail or other messaging servers 130 a and 130 b also are connected toISP networks 120 a and 120 b, respectively. ISP networks 120 a and 120 bare connected to a global network 140 (e.g., the Internet) such that adevice on one ISP network can communicate with a device on the other ISPnetwork. For simplicity, only two ISP networks 120 a and 120 b have beenillustrated as connected to Internet 140. However, there may be a largenumber of such ISP networks connected to Internet 140. Likewise, manye-mail servers and many client systems may be connected to each ISPnetwork.

Each of the client systems 110 a and 110 b and e-mail servers 130 a and130 b may be implemented using, for example, a general-purpose computercapable of responding to and executing instructions in a defined manner,a personal computer, a special-purpose computer, a workstation, aserver, a device such as a personal digital assistant (PDA), acomponent, or other equipment or some combination thereof capable ofresponding to and executing instructions. Client systems 110 a and 110 band e-mail servers 130 a and 130 b may receive instructions from, forexample, a software application, a program, a piece of code, a device, acomputer, a computer system, or a combination thereof, whichindependently or collectively direct operations. These instructions maytake the form of one or more communications programs that facilitatecommunications between the users of client systems 110 a and 110 b. Suchcommunications programs may include, for example, e-mail programs, IMprograms, file transfer protocol (FTP) programs, or voice-over-IP (VoIP)programs. The instructions may be embodied permanently or temporarily inany type of machine, component, equipment, storage medium, or propagatedsignal that is capable of being delivered to a client system 110 a and110 b or the e-mail servers 130 a and 130 b.

Each of client systems 110 a and 110 b and e-mail servers 130 a and 130b includes a communications interface (not shown) used by thecommunications programs to send communications. The communications mayinclude e-mail, audio data, video data, general binary data, or textdata (e.g., data encoded in American Standard Code for InformationInterchange (ASCII) format or Unicode).

Examples of ISP networks 120 a and 120 b include Wide Area Networks(WANs), Local Area Networks (LANs), analog or digital wired and wirelesstelephone networks (e.g., a Public Switched Telephone Network (PSTN), anIntegrated Services Digital Network (ISDN), or a Digital Subscriber Line(xDSL)), or any other wired or wireless network including, e.g., acorporate LAN or WAN. Networks 120 a and 120 b may include multiplenetworks or subnetworks, each of which may include, for example, a wiredor wireless data pathway.

Each of e-mail servers 130 a and 130 b may handle e-mail for usersconnected to ISP network 110 a or 110 b. Each e-mail server may handlee-mail for a single e-mail domain (e.g., aol.com), for a portion of adomain, or for multiple e-mail domains. While not shown, there may bemultiple, interconnected e-mail servers working together to providee-mail service.

An e-mail user, such as a user of client system 110 a or 110 b,typically has one or more e-mail mailboxes on an e-mail system, whichmay incorporate e-mail server 130 a or 130 b. Each mailbox correspondsto an e-mail address. Each mailbox may have one or more folders in whiche-mail is stored. E-mail sent to one of the e-mail user's e-mailaddresses is routed to the corresponding e-mail server 130 a or 130 band placed in the mailbox that corresponds to the e-mail address towhich the e-mail was sent. The e-mail user then uses, for example, ane-mail client program executing on client system 110 a or 110 b toretrieve the e-mail from e-mail server 130 a or 130 b and view thee-mail.

The e-mail client programs executing on client systems 110 a and 110 balso may allow one of the users to send e-mail to an e-mail address. Forexample, the e-mail client program executing on client system 110 a mayallow the e-mail user of client system 110 a (the sending user) tocompose an e-mail message and address the message to a recipientaddress, such as an e-mail address of the user of client system 110 b.When the sender indicates the e-mail is to be sent to the recipientaddress, the e-mail client program executing on client system 110 acommunicates with e-mail server 130 a to handle the sending of thee-mail to the recipient address. For an e-mail addressed to an e-mailuser of client system 110 b, for example, e-mail server 130 a sends thee-mail to e-mail server 130 b. E-mail server 130 b receives the e-mailand places it in the mailbox that corresponds to the recipient address.The user of client system 110 b may then retrieve the e-mail from e-mailserver 130 b, as described above.

In an e-mail environment such as that shown, a spammer typically uses ane-mail client or server program to send similar spam e-mails tohundreds, if not millions, of e-mail recipients. For example, a spammermay target hundreds of recipient e-mail addresses serviced by e-mailserver 130 b on ISP network 120 b. The spammer may maintain the list oftargeted recipient addresses as a distribution list. The spammer may usethe e-mail program to compose a spam e-mail and instruct the e-mailprogram to use the distribution list to send the spam e-mail to therecipient addresses. The e-mail is then sent to e-mail server 130 b fordelivery to the recipient addresses. Thus, in addition to receivinglegitimate e-mails, e-mail server 130 b also may receive largequantities of spam e-mail, particularly when many hundreds of spammerstarget e-mail addresses serviced by e-mail server 130 b.

Thus, e-mail systems tend to be used by any given spammer to send largenumbers of substantially similar, although non-identical, e-mails. Whilethe content of each spam e-mail contains essentially the same message,the content of each e-mail is normally varied to a degree. For example,mass e-mailings are often personalized by including the recipient user'sfirst/last name or other personal information. Spammers also may addrandom text to their e-mails so as to foil some spam detection schemes,such as those based on matching exact textual strings in the e-mail.Usually, the core message of the e-mail remains the same, with random orneutral text added to confuse such “exact-match” spam filters. Often theextra text is inserted in such a way that it is not immediately visibleto the users (e.g., when the font has the same color as the background).Other randomization strategies of spammers include: appending randomcharacter strings to the subject line of the e-mail, changing the orderof paragraphs, or randomizing the non-alphanumeric content.

Furthermore, spammers also may change the words used in the e-mail toconvey their message. However, because spam e-mails are typicallyoriented around the same topics (e.g., pornography), the expressivenessof their content is limited. Thus, even though spammers may attempt torandomize the content of their e-mails, the limitation on theexpressiveness of their content results in essentially the same e-mailbeing sent out, even though the e-mails are not exactly identical.

Consequently, duplicate detection systems that identify nearly identicaldocuments may be useful to filter spam e-mails, either when they enteran e-mail system or later on in the e-mail system (e.g., at therecipient's client system). Identification of spam e-mails at the entrypoint of an e-mail system may be particularly desirable from the e-mailservice provider's perspective, as detection at that point may allow thee-mail service provider to prevent the propagation of such e-mailsthrough the system, thereby reducing the waste of computation andstorage resources on unsolicited messages.

In addition, an effective spam filtering system may use a variety offiltering techniques. For instance, an inductive classifier may beemployed along-side a duplicate detection system as another component ina spam filtering system. An inductive classifier employs machinelearning techniques to develop a classification model that allows theclassifier to classify an unknown e-mail or other document as spam ornon-spam. Typically, a training set of spam and non-spam e-mails orother documents are used by the classifier to determine the attributesthat are most useful in classifying an unknown document and the model isdeveloped from these attributes. The model may then be used to determinea class score for unknown e-mails, where the class score indicates thelikelihood of the e-mail belonging to a particular class. Typically, ifthe class score exceeds a classification threshold, then the unknowne-mail is classified as a member of the particular class (e.g., spam).

Referring to FIG. 2, to provide spam filtering by duplicate detectionand classification, an e-mail server program 230 may execute on ane-mail system (which may incorporate e-mail server 130 a or 130 b).E-mail server program 230 includes a duplicate detector 232, aninductive classifier 236, and an e-mail handler 234. During operation,the incoming e-mail arriving at e-mail server program 230 is passed toduplicate detector 232. Duplicate detector 232 applies duplicatedetection techniques to the e-mail to determine whether the e-mail is aduplicate of a known spam e-mail and, therefore, is a spam e-mailitself. Those e-mails that are spam duplicates 238 are forwardeddirectly to e-mail handler 234, along with an indication that the e-mailis spam. Those e-mails that are not spam duplicates 240 are forwarded toe-mail classifier 236, which classifies them as spam or legitimate.E-mail classifier 236 then forwards the spam e-mails 236 and legitimatee-mails 242 to e-mail handler 234 along with an indication of whetherthey are spam or legitimate.

E-mail handler 234 then handles the e-mail in a manner that depends onthe policies set by the e-mail service provider. For example, e-mailhandler 234 may delete e-mails indicated as spam, while deliveringe-mails marked as legitimate to an “inbox” folder of the correspondinge-mail account. Alternatively, e-mail labeled as spam may be deliveredto a “spam” folder instead of being deleted.

Referring to FIG. 3, a process 300 may be employed by duplicate detector232 to apply a signature-based duplicate detection technique to identifyspam e-mails. In signature, or fingerprint, based duplicate detectionsystems, two documents are considered to be the same if theirprojections onto a lexicon of attributes are the same (where theattributes are typically those that have characteristics particularlysuited to identifying a given document). To determine whether theprojections are the same, the projection of each document is normallymapped to a signature, and when two documents' signatures match, theyare considered to be duplicates.

For example, in the I-Match approach described by Chowdhury et al. in“Collection Statistics For Fast Duplicate Document Detection,” ACMTransactions on Information Systems, 20(2):171-191, 2002 [hereinafterChowdhury], two documents are considered to be the same if theprojection of the unique words in the documents onto a lexicon of wordsis the same. To that end, a lexicon of words is developed, where thewords chosen are those that have characteristics that are most useful inspecifically identifying a given document. More particularly, inI-Match, the lexicon is developed by examining a collection of documentsand selecting the words in the collection that have a mid-range inversedocument frequency (idf) or mid-range normalized inverse documentfrequency (nidf).

For a given document, the set of unique words (i.e., each differentword) in the document is identified. For example, if the word “cabin” isused in a document multiple times, it is listed once in the set ofunique words. The intersection between the set of unique words and thelexicon is obtained (i.e., the words that are in both the lexicon andthe set of unique words are identified). This intersection is thenmapped to a single hash value using a hash algorithm such as the SecureHash Algorithm 1 (SHA1) developed by the National Institute of Standardsand Technology (described in Chowdhury and in RFC 3174, available athttp://www.faqs.org/rfcs/rfc3174.html). If the hash value matches thehash value of another document, then the two documents are considered tobe duplicates of one another.

Using such techniques, after a collection of known spam e-mails has beenobtained, the signatures of the known spam e-mails may be calculated toobtain spam signatures, which are then used to determine if new e-mailsare duplicates of the known spam e-mails, and hence, are spam e-mailsthemselves.

Accordingly, in process 300, duplicate detector 232 accesses spamsignatures for a collection of known spam e-mails (305). When theduplicate detector 232 subsequently receives an incoming e-mail (310),duplicate detector 232 applies the duplicate detection techniques to theincoming e-mail to obtain a signature of the e-mail (a “querysignature”) (315). Duplicate detector 232 then compares the querysignature to the spam signatures to determine if the query signaturematches one of the spam signatures (320). If the query signature doesnot match a spam signature (320), then duplicate detector 232 forwardsthe incoming e-mail to e-mail classifier 236. On the other hand, if thequery signature does match a spam signature (320), then the incominge-mail is forwarded to the e-mail handler 234 with an indication thatthe e-mail is spam. E-mail handler 234 then handles the incoming e-mailaccordingly.

Referring to FIG. 4, a process 400 may be employed by classifier 236 toclassify an unknown e-mail received from duplicate detector 232 as spamor legitimate. As described, an inductive classifier uses a training setof e-mails to develop a classification model. To do so, the training setof e-mails are analyzed to determine the attributes of the e-mails inthe training set. Attribute selection techniques are then applied todetermine the attributes that discriminate the best between the classes(e.g., that help to distinguish spam e-mails from legitimate). TheMutual Information (MI) criterion, for example, is one such techniqueused to determine how well particular attributes discriminate betweenthe classes. Generally, this criterion scores the attributes, where thescores provide a measure of how well an attribute discriminates betweenclasses. The top N attributes are then selected (where N is chosen bythe system designer and is typically system dependent) and used todevelop a classification model, which is then applied to unknown e-mailsto determine the class of the e-mail.

Accordingly, in process 400, when an unknown e-mail is received fromduplicate detector 232 (405), the classification model is applied to theunknown e-mail to classify the unknown e-mail as spam or legitimate(410). To do so, the model may be used to determine a spam score for theunknown e-mail, where the spam score indicates the likelihood that thee-mail is spam. If the spam score exceeds a classification threshold,then the unknown e-mail is classified as spam, otherwise it isclassified as legitimate. If the unknown e-mail is classified as spam,then e-mail classifier 236 forwards the unknown e-mail to e-mail handler234 with an indication that the e-mail is spam. On the other hand, ifthe unknown e-mail is classified as legitimate, then the unknown e-mailis forwarded to the e-mail handler 234 with an indication that thee-mail is legitimate. E-mail handler 234 then handles the incominge-mail accordingly.

Thus, inductive classifiers and some signature-based duplicate detectiontechniques employ some form of attribute selection. In the case ofinductive classifiers, attribute selection is used to determine theattributes that best discriminate between the classes. In some duplicatedetection systems, attribute selection is performed to obtain a lexiconof attributes that are the most useful at identifying a particulardocument. Attribute selection techniques used in inductive classifiers,such as the MI criterion, tend to select attributes that are both fairlyfrequent and, at the same time, are effective for discriminating betweenthe classes. Similarly, some techniques used to build lexicons insignature-based duplicate detection systems, such as selectingattributes according to their idf or nidf, tend to select attributesthat are fairly frequent. As such, in a hybrid spam filtering systemthat uses both an inductive classifier and a signature-based duplicatedetector that employs a lexicon, the attributes selected during trainingof the inductive classifier may be used to generate the lexicon used inthe duplicate detector. Accordingly, referring again to FIG. 2,attribute information 244 may be shared between classifier 236 andduplicate detector 232 in e-mail server program 230 so that a lexicon ofattributes can be generated by duplicate detector 232 from theattributes selected by the e-mail classifier 236 during training. Usingthe attributes selected during training of e-mail classifier 236 togenerate the lexicon used by duplicate detector 232 eliminates the needfor duplicate detector 232 to analyze a collection of documents to builda lexicon, thereby simplifying the process of initializing duplicatedetector 232 and e-mail classifier 236 for duplicate detection andclassification

FIGS. 5 and 6 show exemplary implementations of duplicate detector 232and classifier 236 in which attribute information is shared. FIGS. 7A-11show exemplary processes for operating duplicate detector 232 andclassifier 236. Particularly, FIGS. 7A-9 show processes performed toinitialize duplicate detector 232 and e-mail classifier 236, while FIGS.10 and 11 show particular implementations of actions 315 (FIG. 3) and410 (FIG. 4), respectively, performed by duplicate detector 232 ande-mail, classifier 236 to perform duplicate detection and classificationof incoming e-mails.

Referring to FIG. 5, duplicate detector 232 includes a lexicon generator515, a lexicon storage 520, an attribute analyzer 530, an attributeselector/intersection filter 540, a signature generator 550, a spamsignature storage 560, a signature comparator 570, and a mail forwarder580. The various components of duplicate detector 232 generally functionand cooperate during two phases: spam signature development andduplicate detection. To simplify an understanding of the operation ofduplicate detector 232 during each phase, the data flow between thevarious components is shown separately for each phase. A non-broken lineis shown for data flow during spam signature development and a brokenline with alternating long and short dashed lines indicates the dataflow during duplicate detection.

Referring to FIG. 6, e-mail classifier 236 includes an attributeanalyzer 630, an attribute reducer 640, a classifier 650, a thresholdselector 660, a threshold comparator 670, and a mail forwarder 680. Thevarious components of e-mail classifier 236 generally function andcooperate during three phases: training, optimization, andclassification. To simplify an understanding of the operation of e-mailclassifier 236 during each phase, the data flow between the variouse-mail classifier 236 components is shown separately for each phase. Anon-broken line is shown for data flow during the training phase, a linebroken at regular intervals (i.e., dotted) indicates data flow duringthe optimization phase, and a broken line with alternating long andshort dashed lines indicates the data flow during classification.

Referring to FIGS. 6 and 7A, in general, during the training phase ofthe e-mail classifier 236 (i.e., when a classification model isdeveloped) (700), a set of m e-mails (the “training e-mails”) having aknown classification (e.g., known as spam or legitimate) are accessed(705) and used to train e-mail classifier 236. The set of m traininge-mails may contain only unique e-mails (i.e., duplicate ornear-duplicate e-mails may be removed from a set of spam e-mails to formthe training set). To train e-mail classifier 236, the m traininge-mails are analyzed to obtain the n attributes of the set of traininge-mails (710) and to form an n-by-m attribute matrix (715). Referring toFIGS. 6 and 7B, attribute selection is performed to select N attributesof the n attribute set, where N<n (720), and the n-by-m attribute matrixis reduced accordingly to an N-by-m reduced attribute matrix (725). TheN-by-m reduced attribute matrix is used along with the knownclassification of the training e-mails to obtain an internalclassification model (730).

More particularly, and with reference to the unbroken reference flowpathof FIG. 6, a set of m training e-mails 610 a is input into e-mailclassifier 236 and applied to attribute analyzer 630 (710). Duringtraining, attribute analyzer 630 analyzes the set of m training e-mailsto determine n attributes of the set of m training e-mails (the“attribute set”). The attribute set may be composed of text and non-textattributes. Text attributes generally include the text in the bodies andsubject lines of the e-mails. Non-text attributes may include variousother attributes of the e-mails, such as formatting attributes (e.g.,all caps), address attributes (e.g., multiple addressees or from aspecific e-mail address), or other attributes of an e-mail message suchas whether there is an attachment or the e-mail contains image, audio,or video features.

Attribute analyzer 630 includes a text analyzer 630 b and a non-textanalyzer 630 a. During training, text analyzer 630 b identifies textattributes of each e-mail message in the set of m training e-mails. Theattributes may be, e.g., words or sets of words that form phrases, wherea word may be defined as a set of alphanumeric characters delimited bywhitespace or punctuation. Additionally, the attributes may betokenized. Accordingly, text analyzer 630 b may parse each traininge-mail to determine the text attributes and tokenize the determined textattributes. Text analyzer 630 b keeps track of tokens and the e-mailswithin which they occur.

Non-text analyzer 630 a determines whether each non-text attribute ispresent in each training e-mail. The exact non-text attributes for whicheach training e-mail is analyzed typically is a matter of design andempirical judgment, and may be domain specific. For each non-textattribute, a binary value is generated, indicating whether the attributeis present or not.

Attribute analyzer 630 creates a sparse n-by-m attribute matrix (where nis the total number of text and non-text attributes) from the results oftext analyzer 630 b and non-text analyzer 630 a (715). Each entry in thematrix is a binary value that indicates whether the n^(th) attribute ispresent in the m^(th) e-mail.

The n-by-m attribute matrix is provided to attribute reducer 640, whichreduces the n-by-m attribute matrix to a sparse N-by-m reduced attributematrix (where N is less than n), using, for example, the MI criterion(720 and 725). In other words, attribute reducer 640 selects a reducedset of the n attributes (the “reduced attribute set”) and reduces thesize of the attribute matrix accordingly. To do so, attribute reducer640 calculates the mutual information score for each of the nattributes, ranks the scored attributes, and selects the top Nattributes as the reduced attribute set (where N is selected by thesystem designer). The optimal choice of N may depend on the particularsystem and may be determined through trial and error. Attribute reducer640 also transmits attribute information 505 including the attributesand their respective mutual information scores to duplicate detector232, which uses the attribute information 505 as described with respectto FIG. 8. The attribute information provided to duplicate detector 232may include only the textual attributes and their scores, only thenon-textual attributes and their scores, or both the textual andnon-textual attributes and their scores or some subset of any of thesecombinations.

Techniques other than the MI criterion may be used, alternatively oradditionally, to implement such attribute selection. For example,document frequency thresholding, term strength, or χ² may be suitabletechniques.

The N selected attributes are communicated to attribute analyzer 630,which analyzes the incoming e-mails during the optimization phase andthe classification phase for the N selected attributes instead of all ofthe attributes in the incoming e-mails.

The N-by-m reduced attribute matrix is input into classifier 650 todevelop a classification model (730). Each row of the N-by-m reducedattribute matrix corresponds to one of the m training e-mails andcontains data indicating which of the N selected attributes are presentin the corresponding training e-mail. Each row of the reduced attributematrix is applied to classifier 650. As each row is applied toclassifier 650, the known classification of the training e-mail to whichthe row corresponds also is input.

In response to the N-by-m reduced attribute matrix and correspondingclassifications, classifier 650 builds an internal classification modelthat is used to evaluate future e-mails with unknown classification(i.e., non-training e-mails) (730). Classifier 650 may be implementedusing known probabilistic or other classification techniques. Forexample, classifier 650 may be a support vector machine (SVM), a NaïveBayesian classifier, or a limited dependence Bayesian classifier.Classifier 650 also may be implemented using known techniques thataccount for misclassification costs when constructing the internalmodel. For example, A. Kolcz and J. Alspector, SVM-based Filtering ofE-mail Spam with Content-specific Misclassification Costs, ICDM-2001Workshop on Text Mining (TextDM-2001), November 2001 provides adiscussion of some techniques for training a classifier in a manner thataccounts for misclassification costs.

Referring to FIGS. 5 and 8, duplicate detector 232 uses the attributeinformation 505 received from attribute reducer 640 during a spamsignature development phase 800 to develop a lexicon, which is used witha set of known spam e-mails to generate spam signatures. In general,during the spam signature development phase, the attribute information505 is received from attribute reducer 640 (805). A lexicon ofattributes L is generated from the attribute information 505. Inaddition, a set of known spam e-mails is received (815). For a spame-mail d from the set, the unique attributes U in the spam e-mail d aredetermined (820). The intersection between the unique attributes U andthe lexicon L is then determined (i.e., the unique attributes U that arealso in the lexicon L are determined) (825). The spam signature for thespam e-mail d is then calculated based on the intersection (830) andstored. This process is continued for each spam e-mail (835) until thespam signatures for the e-mails in the set of known spam e-mails arecalculated and stored (840).

More particularly, and with reference to the unbroken reference flowpathof FIG. 5, the attribute information 505 is received by the lexicongenerator 515 (805). The lexicon generator then generates the lexicon ofattributes L (810) and stores the lexicon in lexicon storage 520. Togenerate the lexicon L from the attribute information 505, theattributes are ranked according to their mutual information scores (ifnot done so already) and the attributes with the top M scores areselected for the lexicon L (where M is selected by the system designer).The optimal choice of M may depend on the particular system and may bedetermined through trial and error. The choice of M may be the same ordifferent from the choice of N. If M is the same as N, then attributereducer 640 may send only the N attributes to duplicate detector 232,with the N attributes then being used as the lexicon L.

The attributes in lexicon L may include both text and non-textattributes. Alternatively, only text attributes or only non-textattributes may be used. If attribute reducer 640 transmits both text andnon-text attributes in the attribute information 505, and only one orthe other is used by duplicate detector 232, then lexicon generator 515may ignore the unused attributes. If only text or non-text attributesare used, attribute reducer 640 may send only the one used in theattribute information 505.

A set of known spam 510 a are received by duplicate detector 232 (815)and applied to an attribute analyzer 530. For a given e-mail din the setof known spam e-mails, attribute analyzer 530 determines the uniqueattributes U in e-mail d (820). Attribute analyzer 530 may employ anon-text analyzer 530 a to determine non-text attributes (if used byduplicate detector 232) and a text analyzer 530 b to determine textattributes (if used by duplicate detector 232).

To determine the unique attributes U, text analyzer 530 a may, forexample, parse the body and subject line of the e-mail d to tokenize thecontents of the body and retain a given token if that token has not beenencountered before in the body of e-mail d. The tokenization scheme usedby text analyzer 530 a may be the same as the tokenization scheme usedby text analyzer 630 a so as to assure that the tokens for the uniqueattributes have the same form as the tokens for the attributes inlexicon L. In some implementations, text analyzer 530 a may only retainattributes that meet a certain criteria (e.g., is at least fourcharacters long or has only one digit) and may apply a common formattingto the attributes (e.g., change all letters to lower case). Similarly,if non-text attributes are used, non-text analyzer 530 b may parsee-mail d to determine which non-text attributes are included in e-maild.

Next, attribute analyzer 530 passes the unique attributes U to attributeselector/intersection filter 540. Attribute selector 540 determines theintersection between unique attributes U and the primary lexicon L(825). To do so, attribute selector 540 accesses the lexicon L fromlexicon storage 520. Attribute selector then filters the uniqueattributes U against the lexicon L to determine the unique attributes Uthat are also in lexicon L. The unique attributes U that are also in Lform the intersection between U and L.

Attribute selector 540 then passes the intersection to signaturegenerator 550. Signature generator 550 calculates the signature fore-mail d based on the intersection (830). To do so, a hash algorithmthat maps the set of intersection tokens to a single hash value may beused, where the single hash value is the signature for the e-mail d. Forexample, the SHA1 algorithm as described and implemented in Chowdhurymay be used. The hash value is then stored as a spam signature in spamsignature storage (560).

If there is another spam e-mail in the set of known spam e-mails (835),then the spam signature for that e-mail is also calculated as describedabove (835). Otherwise, the spam signature development phase ends (840).

Referring to FIGS. 6 and 9, in parallel with the spam signaturedevelopment phase of duplicate detector 232 (or before or after), e-mailclassifier 236 performs an optimization phase 900 to establish aninitial classification threshold. In general, during the optimizationphase 900 a set of e e-mails (the “evaluation e-mails”) having a knownclassification (e.g., are known to either be spam or legitimate) isaccessed (905) and used to set the initial classification threshold ofe-mail classifier 236. The set of e evaluation e-mails may contain onlyunique e-mails (i.e., duplicate or near-duplicate e-mails may be removedfrom a set of known spam e-mails to form the evaluation set).

To set the initial classification threshold, each e-mail in the set of eevaluation e-mails is analyzed to determine whether or not it containsthe N attributes of the reduced attribute set (910). This data is usedto obtain a spam score for the e-mail and a classification output isproduced from the spam score (915). The classification output for eache-mail in the reduced set of evaluation e-mails is used along with theknown classification of each e-mail in the set to obtain an initialthreshold value that minimizes the misclassification costs (920). Theclassification threshold then is set to this value (925).

In particular, and with reference to the dotted line of FIG. 6, duringthe initial threshold setting phase, the set of e evaluation e-mails 610b is input into classifier 232 and applied to attribute analyzer 630.For each e-mail, attribute analyzer 630 determines whether or not thee-mail has the N attributes of the reduced attribute set (determined at720 in FIG. 7B) and constructs an N element attribute vector (910). Eachentry in the N element attribute vector is a binary value that indicateswhether the N^(th) attribute is present in the e-mail.

The N element attribute vector for each evaluation e-mail is input intoclassifier 650, which applies the internal model to the attribute vectorto obtain a spam score that indicates the likelihood that thecorresponding e-mail is spam. A classification output is produced fromthis spam score (915). The classification output, for example, may bethe spam score itself or a linear or non-linear scaled version of thespam score. The classification output is input to threshold selector660, along with the corresponding; known classification of the e-mail.

Once a classification output for each e-mail in the reduced set ofevaluation e-mails has been obtained and input to threshold selector660, along with the corresponding classification, threshold selector 660determines the initial threshold (920). Conceptually, threshold selectorconstructs a Receiver Operating Characteristic (ROC) curve from theclassification output and classifications and chooses an operating pointon the ROC curve that minimizes misclassification costs.

The misclassification costs of a given classifier F with respect to aset of unique e-mails can be expressed in one exemplary representationas:L _(u) =π·FP+(1−π)·cost·FNwhere the false-positive rate (FP) is:

${FP} = \frac{\sum\limits_{x \in l_{u}}\left\lbrack {{F(x)} = l} \right\rbrack}{s_{u}}$and the false-negative rate (FN) is:

${FN} = \frac{\sum\limits_{x \in s_{u}}\left\lbrack {{F(x)} = s} \right\rbrack}{l_{u}}$and where π=s_(u)/E_(u), E is an evaluation set of e-mail, E_(u) is theset of unique e-mails in set E, s_(u) is the spam e-mail subset ofE_(u), and l_(u) is the legitimate e-mail subset of E_(u). [F(x)=s] isequal to one when the classifier returns spam as the class, zerootherwise. [F(x)=l] is equal to one when the classifier classifies ane-mail as legitimate, zero otherwise. The cost of misclassifying a spame-mail as legitimate is assumed to be one, while cost represents theassigned cost of misclassifying legitimate e-mail as spam e-mail. Theexact value of this parameter is chosen as a matter of design. Forexample, a value of 1000 may be chosen. As described further below, someimplementations may use values of cost that depend on a legitimatee-mail's subcategory.

The relationship between FP and FN for a given classifier is known asthe Receiver Operating Characteristic. Different choices of theclassification threshold for a classifier result in different pointsalong the classifier's ROC curve. Threshold selector 660 uses theclassification outputs and known classifications to determine thethreshold value that sets the operation of classifier 236 at a point onthe classifier's ROC curve that minimizes L_(u), i.e. themisclassification costs. For example, threshold selector 660 mayevaluate L_(u) for a number of different threshold values and choose theone that minimizes L_(u).

Once threshold selector 660 determines the initial threshold value thatminimizes the misclassification costs, the threshold value is input tothreshold comparator 670 and used as an initial classification threshold(925). Threshold comparator 670 uses this threshold duringclassification to make a decision as to whether an e-mail is spam ornot.

Once the processes of FIGS. 7A-9 have been performed, duplicate detector232 and e-mail classifier are initialized and ready to perform spamfiltering on unknown e-mails by duplicate detection and classification(which are generally shown in FIGS. 3 and 4). FIGS. 10 and 11 showprocesses performed by duplicate detector 232 and e-mail classifier 236,respectively, to perform spam filtering by duplicate detection andclassification. Specifically, FIG. 10 shows a process 1000 forimplementing action 315 of FIG. 3, while FIG. 11 shows a process 1100for implementing action 410 in FIG. 4.

Referring to FIGS. 3, 5, and 10, during the duplicate detection phase,in general, an incoming e-mail of unknown class is received by duplicatedetector 232 (310). The unique attributes U in the incoming e-mail aredetermined (1005). The intersection between the unique attributes U andthe lexicon L is then determined (i.e., the unique attributes U that arealso in the lexicon L are determined) (1010). A query signature for theincoming e-mail is then calculated based on the intersection (1015). Thequery signature is then compared to the spam signatures to determine ifthe query signature matches a spam signature (320). If the querysignature matches a spam signature, then the incoming e-mail isforwarded to e-mail handler 234 along with an indication that theincoming e-mail is spam (330). If the query signature does not match aspam signature, then the incoming e-mail is forwarded to e-mailclassifier 236 for classification (325).

More particularly, and with reference to the long-and-short dashedreference line of FIG. 5, an incoming e-mail 510 c is received byduplicate detector 232 and applied to attribute analyzer 530 (310).Attribute analyzer 530 determines the unique attributes U in theincoming e-mail (1005). Next, attribute analyzer 530 passes the uniqueattributes U to attribute selector/intersection filter 540. Attributeselector 540 determines the intersection between unique attributes U andthe primary lexicon L (1010). To do so, attribute selector 540 accessesthe lexicon L from lexicon storage 520. Attribute selector then filtersthe unique attributes U against the lexicon L to determine the uniqueattributes U that are also in lexicon L. The unique attributes U thatare also in L form the intersection between U and L.

Attribute selector 540 then passes the intersection to signaturegenerator 550. Signature generator 550 calculates the query signaturefor the incoming e-mail based on the intersection (1015). The querysignature is then forwarded to a signature comparator 570. Signaturecomparator 570 accesses the spam signatures from spam signature storage560 and compares the query signature to the spam signatures to determineif the query signature matches a spam signature (320).

The output of signature comparator 570 indicates whether the querysignature matches a spam signature and is provided to mail forwarder580. Mail forwarder 580 also receives the incoming e-mail. Based on theoutput of signature comparator 570, mail forwarder 580 forwards theincoming e-mail as appropriate. Particularly, if the signaturecomparator indicates the query signature matches one or more spamsignatures, mail forwarder 580 forwards the incoming e-mail to e-mailhandler 234 with an indication that the incoming e-mail is spam (330).On the other hand, if the output of signature comparator 570 indicatesthat the incoming e-mail does not match a spam signature, then theincoming e-mail is forwarded to e-mail classifier 236 for classification(325).

Referring to FIGS. 4, 6, and 11, e-mail classifier 236 operates in aclassification phase (1100) to classify an incoming e-mail when thee-mail classifier 236 receives the incoming e-mail from duplicatedetector 232 (405). In general, the incoming e-mail is analyzed todetermine whether or not it contains the N attributes of the reducedattribute set (1110). This data is used to obtain a spam score andclassification output for the e-mail (1115). The e-mail is classified bycomparing the classification output to the classification threshold. Theprecise comparison scheme is a matter of design. As one example, if theclassification output is equal to or above the classification threshold(1120), the e-mail is classified as spam (1125). If the classificationoutput is below the classification threshold (1120), the e-mail isclassified as legitimate (1130). If the incoming e-mail is classified asspam (415), then the incoming e-mail is forwarded to e-mail handler 234along with an indication that the e-mail is spam (425). If the incominge-mail is classified as legitimate (415), then the incoming e-mail isforwarded to e-mail handler 234 along with an indication that the e-mailis legitimate (430).

More particularly, and with reference to the long-and-short dashedreference line of FIG. 6, during the classification phase, the incominge-mail 610 c is received from duplicate detector 232 (405). The incominge-mail is input to attribute analyzer 630. Attribute analyzer 630determines whether or not the incoming e-mail has the N attributes ofthe reduced attribute set and constructs an N element attribute vector(1110). Each entry in the N element attribute vector is a binary valuethat indicates whether the N^(th) attribute is present in the incominge-mail.

The N element attribute vector is input into classifier 650, whichapplies the internal classification model to the attribute vector toobtain a spam score that indicates the likelihood that the e-mail isspam and to produce a classification output (1115). The classificationoutput is input to threshold comparator 670.

Threshold comparator 670 applies the comparison scheme (1120) andproduces an output that indicates whether the e-mail is classified asspam (1125) or legitimate (1130). The output of threshold comparator 670is applied to mail forwarder 680.

The incoming e-mail also is input to mail forwarder 680. When the outputof threshold comparator 670 indicates the incoming e-mail is classifiedas spam (415), mail forwarder 680 forwards the incoming e-mail to e-mailhandler 234 along with an indication that the e-mail is spam (425). Whenthe output of threshold comparator 670 indicates the incoming e-mail isclassified as legitimate (415), mail forwarder 680 forwards the incominge-mail to e-mail handler 234 along with an indication that the e-mail islegitimate (430).

FIGS. 12A and 12B are flowcharts showing alternate processes performedby duplicate detector 232 for determining spam signatures and querysignatures. Signature-based duplicate detection techniques that uselexicons may provide false positives when the intersection between theunique attributes U in a document and the lexicon is small, therebydecreasing the precision of the technique. For example, in the I-Matchapproach, when the intersection between the set of unique words in adocument and the lexicon of words is small, the words used to generatethe signature may only be a small portion of the document and,therefore, not very representative of the document. This may result, forinstance, in a long document that has the same or nearly the sameintersection as a different, smaller document, and, consequently, theI-Match approach may indicate that the longer document is the same asthe smaller document, even if this is not the case. In other words, inthe I-Match approach, for example, the signature of a document isdefined as a hashed representation of the intersection S=(L∩U) (where Lis the lexicon and U is the unique words in a document) and thissignature becomes unreliable when

$\frac{S}{U}$becomes too small.

To mitigate such effects, a secondary lexicon of attributes (which maybe less effective in identifying a given document) may be used tosupplement a primary lexicon of attributes when the projection of thedocument onto the primary lexicon of attributes is below a certainthreshold.

Accordingly, in process 1200, when the attribute information 505 isreceived from attribute reducer 640 (1205), the attribute information505 is used to generate a primary lexicon of attributes L and asecondary lexicon of attributes B (1210). For example, when the mutualinformation criterion is used by attribute reducer 640, the attributesare ranked according to their mutual information scores (if not done soalready) and the attributes with the top M scores are designated as thelexicon L. The remaining attributes then may be designated as lexicon B.

Referring to FIG. 12B, secondary lexicon B is then used to supplementprimary lexicon L when the spam signatures and query signatures aregenerated. In process 1220, for a given spam or incoming e-mail d,duplicate detector 232 determines the unique attributes U in e-mail d(1225). When generating spam signatures, e-mail d is one of the e-mailsin the set of known spam e-mails. On the other hand, when generatingquery signatures, e-mail d is the incoming e-mail.

Next, duplicate detector 232 determines the intersection between uniqueattributes U and the primary lexicon L (i.e., duplicate detector 232determines which attributes in U are also in the primary lexicon L)(1230). The intersection is then evaluated to determine if it is above acertain threshold (1235). The threshold may be, for example, a minimumnumber of attributes that is common between the unique attributes U andthe primary lexicon L and/or a minimum proportion of common attributesto the attributes contained in U. For example, the intersection betweenthe unique attributes U and the primary lexicon L may be required tocontain at least a threshold number of attributes (e.g., 5 attributes)or must be at least a threshold proportion or percentage (e.g., 10%) ofthe unique attributes U, whichever is greater. The value of thethreshold is generally a matter of design and may be chosen by thesystem designers through trial and error, with the threshold selected toobtain a target precision of the system.

If the intersection is below the threshold (1235), then attributes fromsecondary lexicon B that also intersect with the unique attributes U areincluded in the intersection to achieve an intersection above thethreshold (1240). For example, attributes that also intersect withunique attributes U may be included from lexicon B in decreasing orderof their MI score until the threshold is reached. This augmentedintersection is then used to calculate the signature for e-mail d (1245)by applying an algorithm that generates a signature to the augmentedintersection. On the other hand, if the original intersection is abovethe threshold, then the original intersection is used to calculate thesignature for e-mail d (1245) by applying an algorithm that generates asignature to the original intersection.

If there is another e-mail in the set of known spam e-mails or anotherincoming e-mail (1250), then process 1220 moves to action 1225 to findthe unique attributes in the other e-mail and the process continues asdescribed above. Otherwise, process 1220 is ended and the signatures areused as spam signatures or compared to a spam signature as a querysignature (1255).

The techniques described above are not limited to any particularhardware or software configuration. Rather, they may be implementedusing hardware, software, or a combination of both. The methods andprocesses described may be implemented as computer programs that areexecuted on programmable computers comprising at least one processor andat least one data storage system. The programs may be implemented in ahigh-level programming language and may also be implemented in assemblyor other lower level languages, if desired.

Any such program will typically be stored on a computer-usable storagemedium or device (e.g., CD-Rom, RAM, or magnetic disk). When read intothe processor of the computer and executed, the instructions of theprogram cause the programmable computer to carry out the variousoperations described above.

A number of implementations have been described. Nevertheless, it willbe understood that various modifications may be made. For example,attribute reducer 640 or lexicon generator 515 may further reduce theattributes used for classification or in the lexicon by grouping“similar” attributes into a smaller set of attribute-clusters and usingthe attribute clusters as the attributes. For example, when theattributes are words, then similar words may be grouped into a smallerset of word-clusters, which are then used as the attributes. Theattributes may be clustered into “similar” attributes by adistributional attribute clustering technique. For example, theAgglomerative Information Bottleneck (IB) algorithm may be used. The IBtechnique chooses attribute clusters so as to maximize the mutualinformation between attribute clusters and classes, while insuring thatrelevant properties of the original attribute distribution are preservedby the new representation. The IB technique is described in N. Slonimand N. Tishby, “The Power of Word Clusters for Text Classification,” in23rd European Colloquium on Information Retrieval Research, 2001,incorporated herein by reference. Another suitable technique for formingword or other attribute clusters is described in L. Baker and A.McCallum, “Distributional Clustering of Words for Text Classification,”in Proceedings of SIGIR-98, 21st ACM International Conference onResearch and Development in Information Retrieval, pages 96-103, 1998,incorporated herein by reference.

In such an implementation, attribute reducer 640 may further reduce theattributes by grouping the N selected attributes using, e.g., the IBtechnique. That is, attribute reducer 640 may calculate the mutualinformation score of the n attributes, rank the scored attributes,select the top N attributes, and then apply the IB technique to the Nattributes to create attribute clusters. These attribute clusters arethen used to create an A-by-m attribute cluster matrix. Each entry inthe A-by-m matrix is a binary value that indicates whether the A^(th)attribute cluster is present in the m^(th) e-mail. The A-by-m matrix isthen used by classifier 650 to generate the internal classificationmodel.

For classification and optimization, the operation of attribute analyzer630 is then adjusted to determine whether the incoming e-mail containsthe A attribute clusters. Attribute analyzer 630 then constructs an Aelement attribute cluster vector for each e-mail, where each entry inthe attribute cluster vector is a binary value that indicates whetherthe A^(th) attribute cluster is contained in the incoming or evaluatione-mail. The attribute cluster vector is then used by classifier 650 todetermine a classification output.

The attribute information 505 transmitted to duplicate detector 232 thenmay contain the attribute clusters. Lexicon generator 515 may thendesignate the lexicon as containing the attribute clusters or a subsetof the attribute clusters. Attribute analyzer 530 is then modified todetermine the unique attribute clusters in an e-mail. The intersectionbetween the unique attribute clusters in the e-mail and the lexicon ofattribute clusters is then determined and used to generate the signaturefor the e-mail.

As an alternative, attribute information 505 may contain the attributesand the information necessary to generate attribute clusters, instead ofthe attribute clusters themselves. In such a situation, lexicongenerator 515 then may create the attribute clusters using a similar ordifferent technique and use them as the lexicon.

As another alternative, e-mail classifier 236 may use attribute clusterswhile duplicate detector 232 does not. Instead, attribute reducer 640may transmit the attribute information 505 including the attributes and,e.g., their respective mutual information scores to duplicate detector232 and lexicon generator 515 may generate the lexicon from theattributes with the top M scores, as described above.

Similarly, duplicate detector 232 may use attribute clusters whilee-mail classifier 236 does not. In this case, e-mail classifier 236 mayuse the top N attributes as described above and attribute information505 may contain the attributes and the information necessary to generateattribute clusters. Lexicon generator 515 then may create the attributeclusters and use them as the lexicon.

The attribute clusters may be formed from all of the attributes, or onlya portion of the attributes; for example, the textual portion of theattributes.

As an example of another modification, in some places in the foregoingdescription an action is described as performed on each e-mail; however,the performance of the actions on each e-mail is not necessarilyrequired. For instance, with respect to spam signatures, a spamsignature may not be obtained for each known spam e-mail because ofcertain restrictions placed on signatures, such as a requirement thatthe intersection be above a threshold before a signature is generated.Thus, if an intersection above a certain threshold can not be obtainedfor a particular spam e-mail, then the e-mail may be ignored and asignature not generated for it. Similarly, there may be restrictions onthe number of unique attributes required. For instance, a spam e-mailmay be required to contain a minimum number of unique attributes (e.g.,5) before it is used.

In addition, while described as classifying e-mail as either spam orlegitimate, e-mail classifier 236 may be designed to classify e-mailinto more than just those two classes. For instance, e-mail classifiermay be designed and trained to classify e-mail not only as legitimate,but to further classify legitimate e-mail into one of a plurality ofsubcategories of legitimate e-mail. As an example, legitimate mail mayhave the following subcategories: personal, business related, e-commercerelated, mailing list, and promotional. Personal e-mails are those thatare exchanged between friends and family. Business related e-mails aregenerally those that are exchanged between co-workers or current and/orpotential business partners. E-commerce related e-mails are those thatare related to online purchases, such as registration, order, orshipment confirmations. Mailing list e-mails are those that relate toe-mail discussion groups to which users may subscribe. Promotionale-mail are the commercial e-mails that users have agreed to receive aspart of some agreement, such as to view certain content on a web site.

Also, whether or not e-mail classifier 236 is specifically designed toclassify legitimate e-mail into subcategories, classifier 236 may bedesigned to take into account the varying misclassification costs ofmisclassifying e-mail in a given subcategory of legitimate e-mail asspam. For instance, misclassifying a personal e-mail as spam typicallyis considered more costly than misclassifying a business related messageas spam. But it may be considered more costly to misclassify a businessrelated e-mail as spam than misclassifying a promotional e-mail as spam.These varying misclassification costs may be taken into account bothduring training and when setting the classification threshold.

Training a classifier to develop a classification model that takes intoaccount such varying misclassification costs generally is known anddescribed in A. Kolcz and J. Alspector, “SVM-based Filtering of E-mailSpam with Content-specific Misclassification Costs,” ICDM-2001 Workshopon Text Mining (TextDM-2001), November 2001.

When setting the initial threshold, such varying costs can be taken intoaccount by setting:

${cost} = {\sum\limits_{cat}{{P\left( {\left. {cat} \middle| l \right.,x} \right)}{C\left( {s,{cat}} \right)}}}$where P(cat|l,x) is the probability that a particular legitimate e-mailx belongs to the subcategory cat (e.g., personal, business related,e-commerce related, mailing list, or promotional) and C(s,cat) is thecost of misclassifying a legitimate e-mail belonging to the subcategorycat as spam.

The following is an exemplary list of subcategories cat and an exemplarycost C(s,cat) that may be used:

Subcategory cat Misclassification Cost C(s, cat) Personal 1000 BusinessRelated 500 E-commerce related 100 Mailing List Related 50 Promotional25

As another example of an alternative implementation; instead of using athreshold that fully minimizes the misclassification costs (i.e.,reduces the misclassification cost to the minimized cost level), athreshold could instead be chosen that reduces the misclassificationcosts to a predetermined level above the minimized cost level.

Further, while an implementation that adjusts an initial classificationthreshold value has been shown, other implementations may adjust theclassification output to achieve the same affect as adjusting theclassification threshold, as will be apparent to one of skill in theart. Thus, in other implementations, instead of a threshold selector, aclassification output tuning function may be used to adjust thealgorithm for producing classification outputs from the spam or otherclass score to obtain the same effect as a change in the classificationthreshold value. To do so, the classification output tuning function mayevaluate a number of algorithm adjustments and choose the one thatresults in minimum misclassification costs.

As yet another example, the foregoing description has described ane-mail classifier 236 and duplicate detector 232 that forwards e-mail toan e-mail handler 232 along with an indication of whether the e-mail isspam or legitimate. However, in some implementations, it may not benecessary to forward the e-mail at all. For instance, the e-mailclassifier 236 or duplicate detector 232 may be designed to handle thee-mail appropriately based on the e-mails classification or whether thee-mail is a duplicate.

In addition, “classifying” a message does not necessarily have toinclude explicitly marking something as belonging to a class orproviding an explicit indication that something belongs to a class.Rather, classifying may simply include providing the message with aclassification output. A message then may be handled differently basedon its score. For example, e-mail classifier 236 may not includethreshold comparator 670. Instead, classifier 650 marks the e-mail withthe classification output and the e-mail with classification output isthen forwarded by mail forwarder 680 to e-mail handler 234. E-mailhandler 234 then may handle the e-mail according to the classificationoutput. For example, a message may be displayed differently based on theclassification output. A first message, for instance, may be displayedin a darker shade of red (or other color) than a second message if theclassification output of the first message is higher than theclassification output of the second message (assuming a higherclassification output indicates a greater chance the message is spam).

Also, while a binary attribute representation is described for e-mailclassifier 236, one of skill in the art will appreciate that other typesof representations may be used. For example, a term frequency-inversedocument frequency (tf-idf) representation or a term frequency (tf)representation may be used. Also, for non-text attributes, non-binaryrepresentations may additionally or alternatively be used. For example,if video or audio data is included, the attributes may include,respectively, color intensity or audio level. In this case, the colorintensity or audio level attributes may be stored in a representationthat indicates their levels, not just whether they exist or not (i.e.,their analog values may be stored and used). In addition, attributessuch as the time of day a message was received or sent may be used andstored as a real value.

Various phases and actions of the processes described may be performedonline (i.e., while duplicate detector 232 and e-mail classifier 236 arereceiving unknown e-mails for classification) or offline (i.e., whenduplicate detector 232 and e-mail classifier 236 are not receivingunknown messages for classification). Typically, the spam signaturedevelopment, training, and optimization phases (including thresholdselection) may be performed offline, while the duplicate detection andclassification phases are online phases. However, in someimplementations, some actions may be performed dynamically whileduplicate detector 232 and e-mail classifier 236 are online. Forinstance, threshold selection may be performed dynamically while e-mailclassifier 236 is online to adjust the threshold based oncharacteristics of the incoming e-mail stream.

Furthermore, while shown as operating in series, in otherconfigurations, duplicate detector 232 and e-mail classifier 236 mayoperate in parallel. In addition, other configurations may not onlyshare attribute information from e-mail classifier 236 to duplicatedetector 232, but also from duplicate detector 232 to e-mail classifier236. In such cases, the attributes used by duplicate detector 232 ande-mail classifier 236 may be a compromise between methods particular toone or the other or both.

In other implementations where the foregoing techniques are applied tospam filtering in other messaging media or other areas ofclassification, the attributes may be other features of the particularitems being classified. For instance, the attributes may be n-grams,image features, sound features, or features extracted from other formsof media.

Accordingly, other implementations are within the scope of the followingclaims.

What is claimed is:
 1. A method comprising: receiving an electronicdocument; analyzing, using at least one processor, the electronicdocument to extract a number of first attributes from the electronicdocument, the number of first attributes selected from a first attributeset; obtaining a first classification output for the electronic documentbased upon the number of first attributes extracted from the electronicdocument; if the first classification output for the electronic documentis above a first threshold, withholding delivery of the electronicdocument; if the first classification output for the electronic documentis below the first threshold, analyzing the electronic document toextract a number of second attributes from the electronic document, thenumber of second attributes selected from a second attribute set, andobtaining a second classification output for the electronic documentbased upon the number of second attributes extracted from the electronicdocument; if the second classification output for the electronicdocument is above a second threshold, withholding delivery of theelectronic document; and if the second classification output for theelectronic document is below the second threshold, delivering theelectronic document.
 2. The method of claim 1, further comprisingreceiving a plurality of known spam electronic documents.
 3. The methodof claim 2, further comprising: analyzing each of the plurality of knownspam electronic documents; and determining a plurality of uniqueattributes for each of the known spam electronic documents.
 4. Themethod of claim 3, wherein the plurality of unique attributes compriseat least one of textual identifiers, hypertext markup languageidentifiers, or non-textual identifiers.
 5. The method of claim 3,further comprising creating the first attribute set and the secondattribute set based on the plurality of unique attributes determinedfrom the plurality of known spam electronic documents.
 6. The method ofclaim 3, further comprising associating a ranking with each of theplurality of unique attributes based on how indicative each of theplurality of unique attributes is of the likelihood of an electronicdocument being spam.
 7. The method of claim 6, further comprisingobtaining the first classification output and the second classificationoutput for the electronic document based on the ranking associated witheach of the number of attributes present in the electronic document. 8.The method of claim 1, further comprising: determining a weightassociated with each of the number of first attributes; determining aweight associated with each of the number of second attributes;generating the first classification output for the electronic documentbased at least in part on the weight associated with each of the numberof first attributes; and generating the second classification output forthe electronic document based at least in part on the weight associatedwith each of the number of second attributes.
 9. The method of claim 1,further comprising enabling a user to modify the first classificationoutput and the second classification output for the electronic document.10. The method of claim 1, wherein the electronic document comprises avideo file.
 11. A method comprising: generating, using at least oneprocessor, a first attribute set and a second attribute set for use inclassifying electronic documents; receiving an electronic documenthaving an unknown query signature; analyzing the electronic document todetermine whether the electronic document contains one or moreattributes selected from the first attribute set; making a firstdetermination as to whether the electronic document contains a number ofattributes selected from the first attribute set above a firstthreshold; classifying the electronic document based on the firstdetermination; if the electronic document does not contain a number ofattributes selected from the first attribute set above the firstthreshold, analyzing the electronic document to determine whether theelectronic document contains one or more attributes selected from thesecond attribute set; making a second determination as to whether theelectronic document contains a number of attributes selected from thesecond attribute set above the second threshold; and classifying theelectronic document based on the second determination.
 12. The method ofclaim 11, further comprising assigning a query signature to theelectronic document based on the classification of the electronicdocument.
 13. The method of claim 12, further comprising: comparing thequery signature of the electronic document with one or more querysignatures of known spam electronic documents; and forwarding theelectronic document based on whether the query signature of theelectronic document matches the one or more query signatures of theknown spam electronic documents.
 14. The method of claim 11, furthercomprising associating a weight with each attribute in the firstattribute set and with each attribute in the second attribute set,wherein each weight is indicative of the likelihood that an electronicdocument that contains the attribute is spam.
 15. The method of claim14, further comprising modifying the classification of the electronicdocument based on the weight of each attribute contained in theelectronic document.
 16. The method of claim 11, wherein the electronicdocument comprises an audio file.
 17. The method of claim 11, furthercomprising enabling a user to modify the classification of theelectronic document.
 18. A system comprising: at least one processor;and at least one non-transitory computer readable medium storinginstructions thereon that, when executed by at least one process, causethe system to: receive an electronic document; analyze the electronicdocument to extract a first number of attributes from the electronicdocument, the number of first attributes selected from a first attributeset; obtain a first classification output for the electronic documentbased upon the number of first attributes extracted from the electronicdocument; if the first classification output for the electronic documentis above a first threshold, withhold delivery of the electronic documentbased; if the first classification output for the electronic document isbelow the first threshold, analyze the electronic document to extract anumber of second attributes from the electronic document, the number ofsecond attributes selected from a second attribute set, and obtain asecond classification output for the electronic document based upon thenumber of second attributes extracted from the electronic document; ifthe second classification output for the electronic document is above asecond threshold, withhold delivery of the electronic document; and ifthe second classification output for the electronic document is belowthe second threshold, deliver the electronic document.
 19. The system ofclaim 18, wherein the at least one processor is further caused to:receive a plurality of known spam electronic documents; and determine aplurality of unique attributes from the plurality of known spamelectronic documents.
 20. The system of claim 19, wherein the firstattribute set and the second attribute set each comprise at least aportion of the plurality of unique attributes determined from theplurality of known spam electronic documents.
 21. The system of claim18, wherein the at least one processor is further caused to enable auser to modify the first classification output and the secondclassification output for the electronic document.